This post is about an issue that prevented VPN clients from establishing a VPN connection with ISA Server 2006.
When testing VPN client access in this particular scenario, we could see in ISA Server logging that the system rule that allows VPN client access was identified, but the log entry showed the error: Failed Connection Attempt.
Using the command netstat -nao, we verified that no process was listening on port 1723, which is not correct, since svchost.exe should be listening on TCP 1723 when ISA has VPN enabled. The other unexpected behavior was noticed in the RRAS Manager, which showed no PPTP ports available.
It turned out that a server publishing rule was using custom protocols on high ports (1500 to 2000), which prevented RRAS from grabbing TCP port 1723. After deleting this rule and restarting the Microsoft Firewall Service, the issue was resolved.
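The two checks described above (is anything listening on TCP 1723, and does a published port range cover it) can be scripted. This is an added example, not part of the original post; the netstat lines, PIDs, rule names and the Get-TcpListener helper are constructed for illustration.

```powershell
# Constructed sample of `netstat -nao` output (not from the original post).
# On a live server use instead:  $netstatLines = netstat -nao
$netstatLines = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912',
    '  TCP    10.0.0.1:1500          0.0.0.0:0              LISTENING       2340',
    '  TCP    10.0.0.1:1745          0.0.0.0:0              LISTENING       2340',
    '  UDP    0.0.0.0:500            *:*                                    688'
)

# Hypothetical helper: return the listeners on one TCP port from netstat text.
function Get-TcpListener {
    param([string[]]$Lines, [int]$Port)
    foreach ($line in $Lines) {
        # Data rows have 5 columns: Proto, Local, Foreign, State, PID.
        $f = $line.Trim() -split '\s+'
        if ($f.Count -eq 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') {
            # The port is whatever follows the last colon of the local address.
            $localPort = [int]$f[1].Substring($f[1].LastIndexOf(':') + 1)
            if ($localPort -eq $Port) {
                New-Object PSObject -Property @{ LocalAddress = $f[1]; OwningPid = [int]$f[4] }
            }
        }
    }
}

# Constructed list of port ranges used by server publishing rules.
# In practice, fill this in by hand from the rules shown in ISA Management.
$publishedRanges = @(
    @{ Rule = 'Custom high ports (constructed)'; From = 1500; To = 2000 },
    @{ Rule = 'SMTP (constructed)';              From = 25;   To = 25 }
)

$pptpPort  = 1723
$listeners = @(Get-TcpListener -Lines $netstatLines -Port $pptpPort)

if ($listeners.Count -eq 0) {
    "No process is listening on TCP $pptpPort; RRAS has not bound the PPTP port."
} else {
    $listeners | ForEach-Object { "TCP $pptpPort is bound at $($_.LocalAddress) by PID $($_.OwningPid)" }
}

# Flag every publishing rule whose port range includes the PPTP port.
$publishedRanges |
    Where-Object { $_.From -le $pptpPort -and $_.To -ge $pptpPort } |
    ForEach-Object { "Rule '$($_.Rule)' covers TCP $pptpPort (range $($_.From)-$($_.To))" }
```

With the constructed input, the script reports that nothing is listening on TCP 1723 and flags the 1500-2000 rule as the one covering that port.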
Sr. Support Engineer
Microsoft CSS Security Team
Sr Security Support Escalation Engineer
Microsoft CSS Forefront Edge Team